Introduction
The threat to SME businesses from Cybercrime is severe and continuously escalating and unfortunately many businesses don’t fully appreciate the risks until its’s too late. In this blog we look at how SME business can best tackle the problem and the huge added value to be had by implementing the Government backed scheme.
The cost to businesses of Cyber Crime
The estimated cost of Cyber Crime varies, which is no wonder given the many ways that Cyber Crime impacts on businesses. There’s a whole spectrum of costs ranging from reputational damage, loss of IP and preventative cost through to fraud and theft of money from businesses bank accounts. Suffice to say, it’s an awful lot. A report from Accenture in January 2019 put it at $5.2 trillion worldwide over the next 5 years.
The threat to SME businesses
Today hacks and security breaches regularly make headline news, everyone’s aware of the problem, the puzzling question is why, despite all this, there’s a “It won’t happen to me” mindset in many SMEs.
As a provider of IT Consultancy and Support to SME businesses, the increased threat from Cyber Crime has hit home hard over the last 2 years. For us and other IT providers, Cyber Crime used to mean an occasional Malware infected PC needing to be wiped and rebuilt. In the last 2 years however, this has changed and there’s been a worrying increase in Cyber Crime targeting clients and the supply chains of our clients.
We’ve heard many horror stories involving Local SME companies being successfully targeted and them or their clients being defrauded of 6 figure sums of money. These incidents understandably are not publicised, which is the main reason why most businesses are unaware of just how severe the risk has now become.
The message that needs to hit home in Small and Medium sized businesses is that Cyber Crime isn’t just a problem for large corporations and online businesses, it’s a massive threat to every SME business that does business with a computer and the risk extends to every other business in their supply chain as a a lot of Cyber Crime is engineered through suppliers.
Cyber Criminals are opportunists
Cyber Criminals are opportunists. A common misconception is that Cyber Criminals are technical geniuses that can break into any network. Perhaps this accounts for the ‘It won’t happen to me” mindset as companies perceive that they are not lucrative enough targets. Whilst this type of hacker exists, the reality is far less glamourous. Most Cyber Crime is carried out by opportunists that either;
- Scan the Internet using readily available software looking for companies with IT vulnerabilities to exploit using well known and readily available procedures.
- Launch email phishing campaigns that use Malware that’s readily available on the Darkweb. Or Spear Phishing emails that trick companies into paying funds into their bank accounts.
The good news though is that by just implementing some relatively simple low-cost controls you can protect your business from these opportunists and prevent an estimated 80% of Cyber Crime.
The Cyber Essentials scheme
Cyber Essentials is the government backed standard containing a set of best practices that enable you to protect your IT systems from up to 80% of Cyber Crime. The great thing about Cyber Essentials is that it’s simple and therefore usually cost effective to implement. ‘Cyber Essentials’ should be considered the ‘Essentials’ of Cyber Security and thus every business that takes its data security seriously should be complying with it. Indeed, most businesses have already implemented most of the controls in some shape or form. Therefore, the process of certification can either be regarded as a simple and cost-effective process to ratify the standard and obtain the certificate, or it can be used to audit your system and find out where you can identify and address any non-compliance.
Is Cyber Essentials too basic for us?
We do occasionally hear this objection, usually when a client is being advised by a GDPR consultant. It is absolute nonsense. It’s a bit like saying that you don’t need to lock your front doors and use Window locks because you have a state-of-the-art intruder alarm and CCTV system. Cyber Essentials is a set of fundamental security controls that every business need’s. Start there and make sure they are all in place before considering more sophisticated solutions.
Cyber Essentials – The benefits
- Peace of mind. As a business owner manager you can rest assured in the knowledge that your business is properly protected from Cyber Crime.
- Public Sector contracts. Cyber Essentials is now mandatory for all Public Sector contractors in Scotland and for many Public Sector contracts across the rest of the UK.
- Private Sector contracts. More and more private sector organisations are now mandating Cyber Essentials for all of their supply chains. As Certification can take some time, businesses are well advised to have in place before they are asked.
- Reduced Costs. In some sectors obtaining Cyber Essentials can result in very attractive cost savings to insurance premiums. Professional Indemnity insurance in the legal sector is one such example.
- Improved GDPR. With the introduction of GDPR every business is required to ensure that they are protecting their personal data and there are potentially very substantial penalties for not doing so. Implementing Cyber Essentials is great way of ensuring that your business has the technical and some of the organisational controls in place to adequately protect your data. It’s by no means a panacea for GDPR because there are many additional organisational controls and processes that are required, but it’s an excellent way of demonstrating best practice with your data protection.
- Improved regulatory compliance. For any business with industry regulations Cyber Essentials provides a great vehicle to tick off most of their Data protection regulations. Indeed, regulators will look to the Cyber Essential framework to develop their own regulatory standards. An investment in Cyber Essentials therefore is always going to be valuable and relevant in this respect.
- ISO Standards particularly ISO27001. Whilst ISO 27001 is a broader standard applying to all information security management not just Cyber and Data. Cyber Essentials is an excellent precursor. For organisations looking to obtain ISO 27001, Cyber Essential can be a value part of their roadmap enable the organisation to demonstrate good standards of Data Protection prior to obtaining ISO 27001 or other ISO standards.
How to become Cyber Essentials certified
There are 2 phases to becoming Cyber Essentials plus certified:
Readiness
To make the process of certification cost effective its best to commence the certification process once you know your infrastructure is ready. Connexion’s Cyber Essentials readiness service consists of a Gap Analysis and External and internal Vulnerability scans by one of our GCHQ approved Cyber Security consultants. Once the gaps and vulnerabilities have been identified they will be quickly mitigated so that your organisation is set to begin the Certification audit.
Certification
Connexion provide a fixed fee Certification service with a ‘No Certification no Fee guarantee’. Our Certification Partner Xyone Cyber Security will complete an onsite audit of your infrastructure and will provide a report, if a pass isn’t issued immediately Connexion will address any non-compliances until a pass is issued guaranteed in under 30 days.
Free Cyber Essentials Certification Webinar
As a Xyone trusted channel partner Connexion provide a complete Cyber Essentials Certification solution in partnership with Xyone an approved Certifier. If you are interested in understanding the process in more detail, we are running the following free webinar with Xyone. This is a great opportunity to understand the whole process and ask any questions. Please register here
